
Certificate types

Here you can find information about the certificate types available at KTH.

What certificate types are available?

At KTH the types of server certificates you can use are

  • Primarily: "GÉANT OV Multi-Domain" (Multi-domain) – use a 2048-bit RSA key and SHA-256 (see below).
    • This certificate type allows a number of SANs (Subject Alternative Names) to be included in one certificate, i.e. additional host names that refer to the same server.
  • There are also Extended Validation (EV) certificates. However, these should only be used for very important services. Contact certadm@kth.se.
  • Normally wildcard certificates (*.xxx.kth.se) are not permitted, but if you have a special use case, please contact certadm@kth.se.

The certificate types are described at
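As an added example (this is not KTH's own tooling or instructions), the following POSIX shell script generates a 2048-bit RSA key and a CSR signed with SHA-256 that carries the additional host names as SANs, refuses wildcard names in line with the policy above, and then checks that the resulting CSR really has those properties before you send it in. It assumes OpenSSL 1.1.1 or later (for the -addext option); the host names under example.kth.se are placeholders, and the subject only contains a CN, so add whatever other subject fields the CA asks for.

```shell
#!/bin/sh
# Added example, not KTH's own tooling. Assumes OpenSSL >= 1.1.1 (for -addext).
set -eu

# make_csr NAME EXTRA_SANS OUTDIR
#   NAME        primary host name (becomes the CN and the first SAN)
#   EXTRA_SANS  comma-separated additional host names (may be empty)
# Writes OUTDIR/NAME.key (2048-bit RSA) and OUTDIR/NAME.csr (SHA-256 signed).
make_csr() {
    name=$1; extra=$2; dir=$3

    # Wildcard names are normally not permitted and need separate approval.
    case "$name,$extra" in
        *'*.'*) echo "refusing wildcard name; contact certadm@kth.se instead" >&2; return 1 ;;
    esac

    mkdir -p "$dir"

    # 2048-bit RSA key, unencrypted so the server can load it; restrict permissions.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/$name.key" 2>/dev/null
    chmod 600 "$dir/$name.key"

    # Build the SAN list: the primary name first, then every extra name.
    san="DNS:$name"
    old_ifs=$IFS; IFS=,
    for n in $extra; do
        if [ -n "$n" ]; then san="$san,DNS:$n"; fi
    done
    IFS=$old_ifs

    # Only a CN is set here (placeholder); add the subject fields your CA requires.
    openssl req -new -key "$dir/$name.key" -sha256 \
        -subj "/CN=$name" \
        -addext "subjectAltName=$san" \
        -out "$dir/$name.csr"
}

# csr_check CSRFILE NAME
# Prints "ok" if the CSR has a valid self-signature, a 2048-bit RSA key,
# a SHA-256 signature and NAME among its SANs; otherwise prints why not.
csr_check() {
    csr=$1; want=$2
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || { echo "bad CSR signature"; return 1; }
    txt=$(openssl req -in "$csr" -noout -text)
    # "RSA Public-Key: (2048 bit)" in 1.1.1, "Public-Key: (2048 bit)" in 3.x
    case "$txt" in
        *"Public-Key: (2048 bit)"*) ;;
        *) echo "key is not 2048-bit RSA"; return 1 ;;
    esac
    case "$txt" in
        *sha256WithRSAEncryption*) ;;
        *) echo "CSR not signed with SHA-256"; return 1 ;;
    esac
    # SANs are printed as "DNS:a, DNS:b"; match the whole name, not a prefix.
    printf '%s\n' "$txt" | grep -Eq "DNS:$want"'(,|$)' || { echo "SAN $want missing"; return 1; }
    echo ok
}

# Demo with placeholder host names (not real KTH services): sh make_csr.sh --demo
if [ "${1:-}" = "--demo" ]; then
    out=$(mktemp -d)
    make_csr www.example.kth.se "example.kth.se,alias.example.kth.se" "$out"
    csr_check "$out/www.example.kth.se.csr" alias.example.kth.se
    echo "key and CSR written to $out"
fi
```

The check function is deliberately separate from the generation step so it can be run on any CSR, including one produced by other tooling, before it is submitted; a CSR that fails the 2048-bit or SHA-256 check will not match what the page asks for.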

Why standardize on key length 2048 rather than 4096?

Larger keys are stronger, but they also put a higher load on servers and other hardware and make them slower.

According to NIST, a 2048-bit RSA key provides 112 bits of security strength (comparable to a 112-bit symmetric key) and is considered acceptable for use until 2030.

The difference between 2048 and 4096?

  • The key is stronger, but RSA private-key operations cost about 4 to 8 times more CPU, since the cost grows faster than the key length (in the measurements below, verification is about 4 times and signing about 7.5 times slower).
  • Signing is slower.
  • Establishing connections (TLS handshakes) becomes significantly slower, since the server performs one private-key operation per full handshake, and uses more CPU during the handshake.
  • Fewer simultaneous TLS (SSL) connections can be served by a web server (or cluster).
  • Compatibility issues with third-party products that do not support keys larger than 2048 bits.

Performance of a server can be tested using the command

  openssl speed rsa

As an example, from a computer with an Intel i7-4770S (4 cores at 3.1 GHz). Note that openssl speed runs single-threaded unless -multi is given, so the figures are for one core:

                  sign    verify    sign/s verify/s
  rsa  512 bits 0.000114s 0.000011s   8785.3  94943.8
  rsa 1024 bits 0.000632s 0.000033s   1581.7  29878.7
  rsa 2048 bits 0.004090s 0.000127s    244.5   7843.4
  rsa 4096 bits 0.030865s 0.000483s     32.4   2068.5
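To turn such a measurement into the 2048-versus-4096 comparison made above on your own hardware, here is an added POSIX shell example (not part of the KTH page). It parses the output of openssl speed rsa, prints the signing and verification rates for RSA-2048 and RSA-4096, and computes how many times slower 4096 is. The embedded sample is the i7-4770S table from above in the 7-column layout of OpenSSL 1.1.x; the 11-column layout with encrypt/decrypt columns is what I know OpenSSL 3.x prints and is handled as an assumption about that format. Run it with --live to measure the current machine instead of the sample.

```shell
#!/bin/sh
# Added example, not part of the KTH page: summarise "openssl speed rsa" output
# to see how much slower RSA-4096 is than RSA-2048 on a given machine.
set -eu

# Constructed sample: the i7-4770S figures quoted above, in OpenSSL 1.1.x layout.
SAMPLE='                  sign    verify    sign/s verify/s
rsa  512 bits 0.000114s 0.000011s   8785.3  94943.8
rsa 1024 bits 0.000632s 0.000033s   1581.7  29878.7
rsa 2048 bits 0.004090s 0.000127s    244.5   7843.4
rsa 4096 bits 0.030865s 0.000483s     32.4   2068.5'

# rsa_rate TEXT BITS sign|verify : print operations per second for that key size.
# OpenSSL 1.1.x prints 7 columns (sign/s is field 6, verify/s field 7); OpenSSL 3.x
# (assumed layout) adds encrypt/decrypt columns, giving 11 (sign/s 8, verify/s 9).
rsa_rate() {
    printf '%s\n' "$1" | awk -v bits="$2" -v which="$3" '
        $1 == "rsa" && $2 == bits && $3 == "bits" {
            found = 1
            if (NF == 7)       { s = $6; v = $7 }
            else if (NF == 11) { s = $8; v = $9 }
            else { print "unexpected column layout" > "/dev/stderr"; exit 2 }
            r = (which == "sign") ? s : v
            print r
        }
        END { if (!found) { print "no rsa " bits " line" > "/dev/stderr"; exit 1 } }'
}

# rsa_slowdown TEXT FROM_BITS TO_BITS sign|verify : how many times slower TO is than FROM.
rsa_slowdown() {
    a=$(rsa_rate "$1" "$2" "$4")
    b=$(rsa_rate "$1" "$3" "$4")
    awk -v a="$a" -v b="$b" 'BEGIN { printf "%.1f\n", a / b }'
}

# rsa_speed_summary : reads "openssl speed rsa" output on stdin. sign/s is the
# number that matters for a server: one private-key operation per full TLS
# handshake, so it bounds RSA-authenticated handshakes per second per core.
rsa_speed_summary() {
    txt=$(cat)
    for bits in 2048 4096; do
        printf 'RSA-%s: %s sign/s, %s verify/s\n' "$bits" \
            "$(rsa_rate "$txt" "$bits" sign)" "$(rsa_rate "$txt" "$bits" verify)"
    done
    printf '4096 vs 2048: signing %sx slower, verifying %sx slower\n' \
        "$(rsa_slowdown "$txt" 2048 4096 sign)" "$(rsa_slowdown "$txt" 2048 4096 verify)"
}

if [ "${1:-}" = "--live" ]; then
    # Measure this machine; -seconds 1 keeps the run short (about 2 s per key size).
    openssl speed -seconds 1 rsa2048 rsa4096 2>/dev/null | rsa_speed_summary
else
    printf '%s\n' "$SAMPLE" | rsa_speed_summary
fi
```

On the sample data the script reports signing 7.5 times and verifying 3.8 times slower for 4096-bit keys, which is the CPU-cost difference the list above describes; the live mode lets you check whether a particular server's RSA-2048 sign/s figure is comfortably above the handshake rate it needs to sustain.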